Cryptographic Solutions for Data Integrity in the Cloud
|
|
- Lisa Bishop
- 5 years ago
- Views:
Transcription
1 Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012
2 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy.
3 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. The Cloud pk
4 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. pk encrypted grades The Cloud Student CT Adam c 1 Becky c 2. Kevin c i = encryption of ith score. c k
5 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. pk encrypted grades The Cloud Student CT Adam c 1 Becky c 2 c i = encryption of ith score.. Kevin c k sk
6 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. pk encrypted grades The Cloud Student CT Adam c 1 Becky c 2. Kevin c i = encryption of ith score. c k mean? sk
7 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. pk encrypted grades The Cloud Student CT Adam c 1 Becky c 2. Kevin c i = encryption of ith score. c k mean? c sk c = encryption of mean
8 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. pk encrypted grades The Cloud Student CT Adam c 1 Becky c 2. Kevin c i = encryption of ith score. c k mean? Validity: c decrypts to the correct mean. c sk c = encryption of mean Security: no adversary can obtain any info about scores. Length efficiency: c is short. Privacy: decrypted mean reveals nothing else about data.
9 Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity.
10 Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity.
11 Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity. The Cloud sk
12 Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity. sk signed grades The Cloud Student Score Sig Adam 91 σ 1 Becky 73 σ 2... Kevin 84 σ k σ 1 = signature on ( grades, 91, Adam )
13 Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity. sk signed grades The Cloud Student Score Sig Adam 91 σ 1 Becky 73 σ 2... pk Kevin 84 σ k σ 1 = signature on ( grades, 91, Adam )
14 Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity. The Cloud sk signed grades Student Score Sig Adam 91 σ 1 Becky 73 σ 2... Kevin 84 σ k mean? pk σ 1 = signature on ( grades, 91, Adam )
15 Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity. The Cloud sk signed grades Student Score Sig Adam 91 σ 1 Becky 73 σ 2... Kevin 84 σ k mean? 87.3, σ pk σ 1 = signature on ( grades, 91, Adam ) σ = signature on ( grades, 87.3, mean )
16 Properties of Homomorphic Signatures What properties do we want the derived signature σ to have? σ = signature on ( grades, 87.3, mean )
17 Properties of Homomorphic Signatures What properties do we want the derived signature σ to have? σ = signature on ( grades, 87.3, mean ) 1 Validity: σ authenticates 87.3 as the mean, and that the mean was computed correctly.
18 Properties of Homomorphic Signatures What properties do we want the derived signature σ to have? σ = signature on ( grades, 87.3, mean ) 1 Validity: σ authenticates 87.3 as the mean, and that the mean was computed correctly. 2 Unforgeability: no adversary can produce a σ that authenticates a different mean.
19 Properties of Homomorphic Signatures What properties do we want the derived signature σ to have? σ = signature on ( grades, 87.3, mean ) 1 Validity: σ authenticates 87.3 as the mean, and that the mean was computed correctly. 2 Unforgeability: no adversary can produce a σ that authenticates a different mean. 3 Length efficiency: σ is short.
20 Properties of Homomorphic Signatures What properties do we want the derived signature σ to have? σ = signature on ( grades, 87.3, mean ) 1 Validity: σ authenticates 87.3 as the mean, and that the mean was computed correctly. 2 Unforgeability: no adversary can produce a σ that authenticates a different mean. 3 Length efficiency: σ is short. 4 Privacy: σ reveals nothing about data other than the mean.
21 Trivial Solution: Verify the Whole Database sk signed grades The Cloud Student Score Sig Adam 91 σ 1 Becky 73 σ 2... Kevin 84 σ k mean? 87.3, σ pk σ = {all scores and all signatures} Bob authenticates database, then computes mean himself.
22 Trivial Solution: Verify the Whole Database sk signed grades The Cloud Student Score Sig Adam 91 σ 1 Becky 73 σ 2... Kevin 84 σ k mean? 87.3, σ pk σ = {all scores and all signatures} Bob authenticates database, then computes mean himself. Does not have length efficiency and privacy properties: σ is as big as entire database. Bob learns the whole database
23 Nontrivial Solution: Move Work to the Cloud Messages (m 1,..., m k ) grouped together into files. Sign sk (m i ) signature σ i on ith message Eval pk (σ 1,..., σ k, f ) signature σ on f (m 1,..., m k ) Verify pk (m, σ, f ) accept/reject
24 Nontrivial Solution: Move Work to the Cloud Messages (m 1,..., m k ) grouped together into files. Sign sk (m i ) signature σ i on ith message Eval pk (σ 1,..., σ k, f ) signature σ on f (m 1,..., m k ) Verify pk (m, σ, f ) accept/reject Correctness: Verify accepts if m = f (m 1,..., m k ). Security goal: no adversary can authenticate (m, f ) for m f (m 1,..., m k ). Privacy goal: if f (m 1,..., m k ) = f ( ˆm 1,..., ˆm k ) = m, no one can tell which data set σ was derived from.
25 Nontrivial Solution: Move Work to the Cloud Messages (m 1,..., m k ) grouped together into files. Sign sk (m i ) signature σ i on ith message Eval pk (σ 1,..., σ k, f ) signature σ on f (m 1,..., m k ) Verify pk (m, σ, f ) accept/reject Correctness: Verify accepts if m = f (m 1,..., m k ). Security goal: no adversary can authenticate (m, f ) for m f (m 1,..., m k ). Privacy goal: if f (m 1,..., m k ) = f ( ˆm 1,..., ˆm k ) = m, no one can tell which data set σ was derived from. Linearly homomorphic signatures: messages m i are vectors. functions f are linear combinations.
26 Applications What are homomorphic signatures good for? f Linear functions Application Mean Fourier transform Network coding Regression models (time series data)
27 Applications What are homomorphic signatures good for? f Linear functions Subsets Application Mean Fourier transform Network coding Regression models (time series data) Message redaction
28 Applications What are homomorphic signatures good for? f Linear functions Subsets Polynomials Application Mean Fourier transform Network coding Regression models (time series data) Message redaction Standard deviation & higher moments Regression models (general data)
29 Applications What are homomorphic signatures good for? f Linear functions Subsets Polynomials Arbitrary circuits Application Mean Fourier transform Network coding Regression models (time series data) Message redaction Standard deviation & higher moments Regression models (general data) Non-linear estimators and regression Data mining (decision trees, SVM, etc.)
30 Application: Least Squares Fits
31 Least Squares Fits For a data set {(x i, y i )} k i=1, the degree d least squares fit is the polynomial f (x) = c 0 + c 1 x + + c d x d that best approximates the observed y values.
32 Least Squares Fits For a data set {(x i, y i )} k i=1, the degree d least squares fit is the polynomial f (x) = c 0 + c 1 x + + c d x d that best approximates the observed y values. 300M U.S. population by year 200M 100M
33 Least Squares Fits For a data set {(x i, y i )} k i=1, the degree d least squares fit is the polynomial f (x) = c 0 + c 1 x + + c d x d that best approximates the observed y values. 300M U.S. population by year 200M 100M y = f (x) = c 0 + c 1 x + c 2 x
34 Least Squares Fits For a data set {(x i, y i )} k i=1, the degree d least squares fit is the polynomial f (x) = c 0 + c 1 x + + c d x d that best approximates the observed y values. 300M U.S. population by year 200M 100M y = f (x) = c 0 + c 1 x + c 2 x Formula: (c 0, c 1, c 2 ) = (X t X) 1 X t y X = matrix of x values, y = vector of y values.
35 Authenticating a least-squares fit 300M U.S. population by year 200M 100M y = f (x) = c 0 + c 1 x + c 2 x Formula: (c 0, c 1, c 2 ) = (X t X) 1 X t y X = matrix of x values, y = vector of y values.
36 Authenticating a least-squares fit 300M U.S. population by year 200M 100M y = f (x) = c 0 + c 1 x + c 2 x Formula: (c 0, c 1, c 2 ) = (X t X) 1 X t y X = matrix of x values, y = vector of y values. For time series x values, c is linear function of y values.
37 Authenticating a least-squares fit 300M U.S. population by year 200M 100M y = f (x) = c 0 + c 1 x + c 2 x Formula: (c 0, c 1, c 2 ) = (X t X) 1 X t y X = matrix of x values, y = vector of y values. For time series x values, c is linear function of y values. Census bureau stores signed population counts on server using linearly homomorphic signature. Server can authenticate coefficients of least-squares fit.
38 State of the art How can we compute on encrypted or authenticated data? F Hom. encryption Hom. signatures Linear functions Subsets Polynomials Arbitrary circuits
39 State of the art How can we compute on encrypted or authenticated data? F Hom. encryption Hom. signatures Linear [GM82], [B88], [P99], functions others Subsets Polynomials Arbitrary circuits [BGN05], [GHV10] (quadratic) [G09], [DGHV10], [BV11],[BGV12],[B12]
40 State of the art How can we compute on encrypted or authenticated data? F Hom. encryption Hom. signatures Linear [GM82], [B88], [P99], [KFM04], [CJL06], functions others [ZKMH07], [BFKW09], [GKKR10], [BF11a], [F12] Subsets [JMSW02], [ABC+12], others Polynomials [BGN05], [GHV10] [BF11b] (quadratic) (bounded degree) Arbitrary circuits [G09], [DGHV10], [BV11],[BGV12],[B12]
41 Recent Advances in Homomorphic Signatures
42 New Results [F12] Improved security for linearly homomorphic signatures: 1 Security based on harder problems. 2 Systems resistant to a stronger adversary. Achieved via a generic construction from existing (ordinary) signatures satisfying certain properties. Single framework gives many homomorphic schemes. Users can choose based on security/efficiency tradeoffs.
43 Security Based on Hard Problems Security paradigm: Show that any adversary that can forge a signature can be used to solve a computational problem believed to be hard. E.g.: Factoring: given N = pq, find p, q. RSA: given (N, x, e), find x 1/e mod N. Strong RSA: given (N, x), find some (e, x 1/e mod N).
44 Security Based on Hard Problems Security paradigm: Show that any adversary that can forge a signature can be used to solve a computational problem believed to be hard. E.g.: Factoring: given N = pq, find p, q. RSA: given (N, x, e), find x 1/e mod N. Strong RSA: given (N, x), find some (e, x 1/e mod N). Hierarchy of problems: solving (1) solving (2) solving (3). (converse not known to be true or false) Top of hierarchy: stronger security guarantees. Bottom of hierarchy: more efficient constructions.
45 Contribution 1: Constructions from Harder Problems Previous constructions of linearly homomorphic signatures: [GKKR10]: Based on RSA, requires ideal hash function (indistinguishable from random). [CFW11]: Based on Strong RSA, uses real world hash function (collision-resistant).
46 Contribution 1: Constructions from Harder Problems Previous constructions of linearly homomorphic signatures: [GKKR10]: Based on RSA, requires ideal hash function (indistinguishable from random). [CFW11]: Based on Strong RSA, uses real world hash function (collision-resistant). Our construction: [F12]: Based on RSA, uses real world hash function. Similar results using hierarchy of Diffie-Hellman problems.
47 Contrubution 2: Stronger Adversary Security model for homomorphic signatures:
48 Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. Adversary sk
49 Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. pk Adversary sk
50 Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. pk file F = {m 1,..., m k } Adversary sk
51 Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k Adversary
52 Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k repeat Adversary
53 Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k forgery F, m, σ, f repeat Adversary
54 Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k forgery F, m, σ, f repeat Adversary Forgery is a valid signature σ on (F, m, f ) with m f (messages in file F ).
55 Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k forgery F, m, σ, f repeat Adversary Forgery is a valid signature σ on (F, m, f ) with m f (messages in file F ). Original adversary: must query entire files at once.
56 Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k forgery F, m, σ, f repeat Adversary Forgery is a valid signature σ on (F, m, f ) with m f (messages in file F ). Original adversary: must query entire files at once. Stronger adversary: adaptively queries one message at a time from any file.
57 Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk tuple (F, i, m i ) sig σ F i forgery F, m, σ, f repeat Adversary Forgery is a valid signature σ on (F, m, f ) with m f (messages in file F ). Original adversary: must query entire files at once. Stronger adversary: adaptively queries one message at a time from any file.
58 Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk tuple (F, i, m i ) sig σ F i forgery F, m, σ, f repeat Adversary Forgery is a valid signature σ on (F, m, f ) with m f (messages in file F ). Original adversary: must query entire files at once. Stronger adversary: adaptively queries one message at a time from any file. Our new schemes are secure against the stronger adversary.
59 Ideas behind the Construction Homomorphic hash : for fixed h 1,..., h n Z N, vector v = (v 1,..., v n ) Z n, define H hom (v) = h v 1 1 hvn n (mod N). Homomorphic property: H hom (v) H hom (w) = H hom (v + w).
60 Ideas behind the Construction Homomorphic hash : for fixed h 1,..., h n Z N, vector v = (v 1,..., v n ) Z n, define H hom (v) = h v 1 1 hvn n (mod N). Homomorphic property: H hom (v) H hom (w) = H hom (v + w). [GKKR10] construction: Sign(v) = H hom (v) 1/e (mod N). h i derived from filename F using ideal hash function. Sign(v) Sign(w) authenticates v + w.
61 Ideas behind the Construction Homomorphic hash : for fixed h 1,..., h n Z N, vector v = (v 1,..., v n ) Z n, define H hom (v) = h v 1 1 hvn n (mod N). Homomorphic property: H hom (v) H hom (w) = H hom (v + w). [GKKR10] construction: Sign(v) = H hom (v) 1/e (mod N). h i derived from filename F using ideal hash function. Sign(v) Sign(w) authenticates v + w. New idea: Tie together signature on F and hash of v: for public x and real-world hash function η, ( Sign(v) = x 1/η(F ), H hom (v) 1/η(F )).
62 Ideas behind the Construction Homomorphic hash : for fixed h 1,..., h n Z N, vector v = (v 1,..., v n ) Z n, define H hom (v) = h v 1 1 hvn n (mod N). Homomorphic property: H hom (v) H hom (w) = H hom (v + w). [GKKR10] construction: Sign(v) = H hom (v) 1/e (mod N). h i derived from filename F using ideal hash function. Sign(v) Sign(w) authenticates v + w. New idea: Tie together signature on F and hash of v: for public x and real-world hash function η, ( Sign(v) = x 1/η(F ), H hom (v) 1/η(F )). This example derived from [GHR99] signatures; mechanism also applies to [BB04],[W05],[HW09],[LW10],...
63 Thank you! Questions? Job Offers? Comments?
Improved Security for Linearly Homomorphic Signatures: A Generic Framework
Improved Security for Linearly Homomorphic Signatures: A Generic Framework Stanford University, USA PKC 2012 Darmstadt, Germany 23 May 2012 Problem: Computing on Authenticated Data Q: How do we delegate
More informationImproved Security for Linearly Homomorphic Signatures: A Generic Framework
An extended abstract of this work will appear in Public Key Cryptography PKC 2012. This is the full version. Improved Security for Linearly Homomorphic Signatures: A Generic Framework DAVID MANDELL FREEMAN
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationProtean Signature Schemes
Protean Signature Schemes Stephan Krenn, Henrich C. Pöhls, Kai Samelin, Daniel Slamanig October 2, 2018 Cryptology And Network Security (CANS 2018), Naples, Italy 1 Digital Signatures 2 Digital Signatures
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationII. Digital signatures
II. Digital signatures Alice m Bob Eve 1. Did Bob send message m, or was it Eve? 2. Did Eve modify the message m, that was sent by Bob? 1 Digital signatures Digital signature - are equivalent of handwritten
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationComputing on Authenticated Data for Adjustable Predicates
A short version of this work appears at ACNS 2013. This is the full version. Computing on Authenticated Data for Adjustable Predicates Björn Deiseroth Victoria Fehr Marc Fischlin Manuel Maasz Nils Fabian
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationJohn Hancock enters the 21th century Digital signature schemes. Table of contents
John Hancock enters the 21th century Digital signature schemes Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents From last time: Good news and bad There
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationNetwork Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30
Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) LIU Zhen Due Date: March 30 Questions: 1. RSA (20 Points) Assume that we use RSA with the prime numbers p = 17 and q = 23. (a) Calculate
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationFully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015 Outsourcing Computation x x f f(x) Email, web-search, navigation, social networking What if x is private? Search
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationFully Homomorphic Encryption from LWE
Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011 Outsourcing
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationOn Homomorphic Encryption and Secure Computation
On Homomorphic Encryption and Secure Computation challenge response Shai Halevi IBM NYU Columbia Theory Day, May 7, 2010 Computing on Encrypted Data Wouldn t it be nice to be able to o Encrypt my data
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationPublic Key Encryption for the Forgetful
Public Key Encryption for the Forgetful Puwen Wei 1 Yuliang Zheng 2 Xiaoyun Wang 1,3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Digital Signatures Algorithms: Gen() à (sk,pk) Sign(sk,m) à σ Ver(pk,m,σ) à 0/1 Correctness: Pr[Ver(pk,m,Sign(sk,m))=1:
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationProofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures
Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures G. Fuchsbauer D. Pointcheval École normale supérieure Pairing'09, 13.08.2009 Fuchsbauer, Pointcheval (ENS) Proofs
More informationHash-based signatures & Hash-and-sign without collision-resistance
Hash-based signatures & Hash-and-sign without collision-resistance Andreas Hülsing 22.12.2016 Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast 22-12-2016
More informationShort Signatures Without Random Oracles
Short Signatures Without Random Oracles Dan Boneh and Xavier Boyen (presented by Aleksandr Yampolskiy) Outline Motivation Preliminaries Secure short signature Extensions Conclusion Why signatures without
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationHow to Use Linear Homomorphic Signature in Network Coding
How to Use Linear Homomorphic Signature in Network Coding Li Chen lichen.xd at gmail.com Xidian University September 28, 2013 How to Use Linear Homomorphic Signature in Network Coding Outline 1 Linear
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationInstructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year
Data Privacy and Security Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2017-2018 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationHash-based Signatures. Andreas Hülsing
Hash-based Signatures Andreas Hülsing Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 23-2-2016 PAGE 2... 1 3 1 4 2 3 2 2 3 2 3 4 1 2 1 2 1 1 y x x x x
More informationDigital signature schemes
Digital signature schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction digital signature scheme security of digital
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationFUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan
FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS Elette Boyle Shafi Goldwasser Ioana Ivan Traditional Paradigm: All or Nothing Encryption [DH76] Given SK, can decrypt. Otherwise, can t distinguish encryptions
More informationSecurity II: Cryptography exercises
Security II: Cryptography exercises Markus Kuhn Lent 2015 Part II Some of the exercises require the implementation of short programs. The model answers use Perl (see Part IB Unix Tools course), but you
More informationLecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko
CMSC 858K Advanced Topics in Cryptography February 26, 2004 Lecturer: Jonathan Katz Lecture 10 Scribe(s): Jeffrey Blank Chiu Yuen Koo Nikolai Yakovenko 1 Summary We had previously begun to analyze the
More informationHomomorphic Signatures for Polynomial Functions
An extended abstract of this work appears in Advances in Cryptology EUROCRYPT 2011, ed. K. Paterson, Springer LNCS 6632 (2011), 149 168. This is the full version. Homomorphic Signatures for Polynomial
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationOptimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample
Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Fuchun Guo 1, Rongmao Chen 2, Willy Susilo 1, Jianchang Lai 1, Guomin Yang 1, and Yi Mu 1 1 Institute
More informationLinearly Homomorphic Signatures over Binary Fields and New Tools for Lattice-Based Signatures
An extended abstract of this work appears in Public Key Cryptography PKC 2011, ed. R. Gennaro, Springer LNCS 6571 (2011), 1 16. This is the full version. Linearly Homomorphic Signatures over Binary Fields
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationEssam Ghadafi CT-RSA 2016
SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi e.ghadafi@ucl.ac.uk Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES OUTLINE 1 BACKGROUND
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationData-Mining on GBytes of
Data-Mining on GBytes of Encrypted Data In collaboration with Dan Boneh (Stanford); Udi Weinsberg, Stratis Ioannidis, Marc Joye, Nina Taft (Technicolor). Outline Motivation Background on cryptographic
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationEfficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationFoundations of Cryptography
- 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such
More informationChapter 7: Signature Schemes. COMP Lih-Yuan Deng
Chapter 7: Signature Schemes COMP 7120-8120 Lih-Yuan Deng lihdeng@memphis.edu Overview Introduction Security requirements for signature schemes ElGamal signature scheme Variants of ElGamal signature scheme
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationWeek : Public Key Cryptosystem and Digital Signatures
Week 10-11 : Public Key Cryptosystem and Digital Signatures 1. Public Key Encryptions RSA, ElGamal, 2 RSA- PKC(1/3) 1st public key cryptosystem R.L.Rivest, A.Shamir, L.Adleman, A Method for Obtaining Digital
More informationTowards Append-Only Authenticated Dictionaries. Vivek Bhupatiraju, CS-PRIMES 2017
Towards Append-Only Authenticated Dictionaries Vivek Bhupatiraju, CS-PRIMES 27 Public-key Cryptography PK M e(m, PK SK Secure Channels - Having secure channels is becoming more and more necessary - Many
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationAnonymous Signatures Made Easy
Anonymous Signatures Made Easy Marc Fischlin Darmstadt University of Technology, Germany marc.fischlin @ gmail.com www.fischlin.de Abstract. At PKC 2006, Yang, Wong, Deng and Wang proposed the notion of
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationComparing With RSA. 1 ucl Crypto Group
Comparing With RSA Julien Cathalo 1, David Naccache 2, and Jean-Jacques Quisquater 1 1 ucl Crypto Group Place du Levant 3, Louvain-la-Neuve, b-1348, Belgium julien.cathalo@uclouvain.be, jean-jacques.quisquater@uclouvain.be
More information